Keeping your blog/website secure is as important as creating it. WordPress security is an important matter and deserves as much attention as search engine optimization. Your blog is a reflection of who you are, or what your business is, and hence it is of utmost importance that you spend time and resources on protecting your image, or your business’ image.
Unfortunately, even knowing how important it is to keep the blog secure, a lot of us do not pay enough attention to it. We take the security of our blog for granted, thinking that nothing will happen, and then suddenly we see our blog hit by a SQL injection attack, a DDoS attack, a brute force attack, or some other attack. We end up losing all that effort, and our image goes down with it. Fortunately, there is a way out of this: taking measures to keep your blog secure.
Theoretically, there are a lot of things you can do to keep your blog safe from attacks. There are different kinds of attacks your blog is vulnerable to, and many things can be improved to keep it safe. For one, keeping your WordPress core up to date makes your blog safer. But all these measures ultimately boil down to one thing: using the right security plugin, so that it does what you need to keep your blog secure.
Interesting fact: an average WordPress website is attacked 44 times every day. There are people who have already written code to automate the process of finding targets and trying to hack them. It is up to you to keep your blog safe from such attacks.
But then, we have heard time and again that installing too many plugins makes the blog slow, and that we should use as few plugins as possible. So the question arises: do we really need a plugin to keep our WordPress blog secure? Is the CMS not secure enough? Well, let’s find out.
Isn’t WordPress Secure Enough?
It makes sense to question the security level of the CMS you are putting your entire business on. The answer, in a single word, is yes: WordPress is secure enough. The developers of WordPress are smart enough to make the CMS secure, and it is getting better with each update. Finding vulnerabilities in the WordPress core is not an easy task. But the WordPress core is not the only code that makes up your site. We use a lot of add-ons such as plugins, themes, external hosting, etc., and when we use all this external code, security vulnerabilities are bound to come along with some of it.
Other than that, we might also be using easy-to-guess usernames and passwords for our WordPress blog, which adds one more avenue for compromise. So all in all, having a secure enough WordPress core does not make your website completely secure.
And that is where these security plugins come into action. They work on such vulnerabilities and add an extra layer of security to your blog.
Even with all the security features that WordPress brings to the table, we cannot overlook the fact that “HaCkErS aRe sMaRt“. In a recent CTF writeup I read, a person was able to perform SQL injection even when the site was protected from SQLi attacks, by playing with the raw values of the MD5 function. So it is always better to be as secure as possible, and unless you are Google (which every hacker wants to break into), you will do just fine.
6 Best WordPress Security Plugins for Free
Let us now take a look at the 6 most popular (and useful) WordPress security plugins out there.
1. Sucuri
Sucuri is probably the most popular WordPress security plugin out there. It is also rated highly in the WordPress community, with an average rating of 4.4 stars out of 5. Sucuri has a pretty clean dashboard interface and shows all the important things you need to know in the plugin’s dashboard.
The dashboard basically consists of audit logs, links, iframes, and all the JavaScript running on the site, which makes sense because these are all the external code that may contain security loopholes. Other than these, the Sucuri dashboard shows scan results, some basic information about the WordPress core, and recommendations to increase security.
While the free version is pretty basic, the real value comes when you purchase the paid version. I would recommend that you either use the paid version or look for other alternatives, as they provide better features than the free version of Sucuri does. But if you are willing to spend that kind of money, then you should definitely consider purchasing Sucuri, because it provides some unique features which no one else does.
- Recover hacked blogs – First and foremost, Sucuri takes care of your hacked blog and helps you recover it if you are using the paid version of the plugin. Alternatively, you can also pay them to recover your blog.
- CDN – Sucuri provides website acceleration, caching, and a CDN, so that all your traffic comes filtered through their servers and malicious traffic is dropped before it reaches your site.
- Cloud-based firewall – Its firewall protects you from all types of attacks such as DDoS, brute force, SQL injection, XSS, etc.
- Patches security vulnerabilities – Sucuri provides patches and fixes for vulnerabilities if they are encountered.
- Clean UI and informative dashboard – It also provides a very clean UI, and all the important stats are present in the dashboard, as explained earlier.
Sucuri has a free version that can be installed directly using the WordPress plugin option.
The paid version comes with Basic, Professional, and Business plans, costing $199, $299, and $499 respectively.
2. MiniOrange 2 Factor
MiniOrange’s 2 Factor plugin is another great plugin available in the WordPress repository. Even though it provides a lot of security options, the reason it is used (and is popular) is its two-factor authentication feature.
This feature allows you to add an extra layer of security to your login page. The crux of it is that you can add a set of security questions, which are asked of the user at login time. If you cannot answer those questions, it has an OTP-based verification system to get you in, where the OTP is shown in an external app that you download on your phone.
In my opinion, it is a pretty cool feature, and it protects the site from the most popular attack, brute force, by making login by a hacker almost impossible, even if you use an easy username or password.
Other than that, it also provides a firewall for blocking IPs, limiting requests from a particular IP, and blacklisting and whitelisting IPs. Let us take a look at some features of this plugin.
- 2 Factor Authentication – This is the main reason why this plugin is so popular, as it adds a layer of security against brute force attacks, and also protects the blog in case your password gets compromised.
- IP blocking – It allows you to block and unblock IPs, and also to limit the number of requests from an IP.
- Malware scan – This plugin also scans your website’s themes, plugins, and external code for vulnerabilities, and provides you with relevant reports.
The best part is, all these features are available in the free version. So using the free version is definitely worth it.
The free version of the plugin also has a lot of good options for security and provides three authentication methods. Other than that, there are paid versions with more features, and more authentication methods.
3. Wordfence
Wordfence is again a very popular security plugin for WordPress. It comes in two parts: one for the firewall and malware scan, and the other for login security.
The login security part allows you to enable two-factor authentication and login and registration CAPTCHAs, and also provides XML-RPC protection.
The malware scan and firewall part protects from other types of attacks like DDoS or SQL injection. It also protects the site by detecting existing malicious code and guarding against insider breaches. While the Wordfence firewall is extremely effective, it has one downside: it is an endpoint firewall instead of a cloud firewall, which might make requests a little slower, but according to Wordfence, it makes the site more secure, so it cuts both ways.
- Leaked password protection – Wordfence checks your password against publicly available lists of breached passwords, and notifies you if it is among them.
- Repairs malicious files – Wordfence helps you prevent an attack, and also recover from one, by repairing malicious files.
- Two-factor authentication – Just like other plugins, Wordfence also provides 2FA to protect your site from brute force attacks and compromised login credentials.
- Malware scans – This is pretty obvious, but Wordfence runs malware scans over your codebase and notifies you in case it finds vulnerabilities.
Wordfence is available in both free and premium versions, with the premium version adding more features like a real-time IP blacklist, premium support, country blocking, reputation checks, etc.
The premium license is available for $99/year.
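The leaked-password check above can be done without ever sending the password, or even its full hash, to the breach-list provider. The following added example (written for this article, not Wordfence’s code) shows the k-anonymity scheme such services use: the site hashes the password, sends only the first 5 hex characters of the SHA-1, receives every suffix in that range, and compares locally. The breach corpus and its counts are constructed for the demo, and `lookup_range` is an offline stand-in for the remote range query.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed breach corpus with made-up counts, standing in for a real
# leaked-password dataset.
CONSTRUCTED_BREACHED: Dict[str, int] = {
    "password": 3861493,
    "123456": 23597311,
    "qwerty": 3912816,
    "letmein": 230000,
}

RangeIndex = Dict[str, List[Tuple[str, int]]]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form range APIs use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: Dict[str, int]) -> RangeIndex:
    """Index breached hashes by their first 5 hex digits, as a range API does.
    Each bucket holds (35-char suffix, occurrence count) pairs."""
    index: RangeIndex = defaultdict(list)
    for pw, count in breached.items():
        h = sha1_hex(pw)
        index[h[:5]].append((h[5:], count))
    return index


def lookup_range(prefix: str, index: RangeIndex) -> List[Tuple[str, int]]:
    """Offline stand-in for the remote 'range' query: only the 5-char prefix
    ever leaves the site, so the provider learns neither password nor hash."""
    assert len(prefix) == 5, "range queries carry exactly 5 hex characters"
    return index.get(prefix, [])


def breach_count(password: str, index: RangeIndex) -> int:
    """How often the password appears in the breach corpus (0 = not found).
    The suffix comparison happens locally, never on the provider's side."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for candidate_suffix, count in lookup_range(prefix, index):
        if candidate_suffix == suffix:
            return count
    return 0


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACHED)
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: seen {breach_count(candidate, idx)} times")
```

A plugin doing this on a password change can refuse any password with a non-zero count; on a login it can only warn, since the user has already chosen that password.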
4. All In One WP Security
All In One WP Security is another great plugin that comes with a plethora of customizable options to take control of the security of your blog. It comes packed with multiple features like logging WordPress data, a security audit, a malware scan, and a firewall. It also has dedicated sections for database security and file system security, which are really nice.
The database security option allows you to change the DB prefix from the default value to something else, so that it is safe from automated attacks.
Similarly, the filesystem security option allows you to manage edit access to various different files, by plugins and by other users. This adds another layer of security.
It also offers spam protection, which allows you to add a captcha to your blog comments, and prevents bot submissions.
- Security feature classification – Classifies security measures as basic, intermediate, and advanced depending on their scope and whether they might break any functionality.
- Security point score – The dashboard shows you a security points score, where you can see what your current score is and what the maximum achievable score is.
- Critical feature status – It shows you all the basic features which you should have on your website to achieve at least a bare minimum level of security.
All In One WP Security and Firewall is available for free on the WordPress plugin store.
5. iThemes Security
iThemes Security is another option you have when it comes to WordPress security plugins, and it is pretty neat. It comes bundled with 30+ ways to make sure that your WordPress website is not under any threat.
iThemes Security plugin also logs activities of all users, protects your site from brute force attacks by enabling two-factor authentication, scans for malware, and does all the basic and advanced things you expect from a security plugin. The good thing about this plugin is that it automatically applies basic settings with just a single click, and they can be altered later as per need.
- Plugin scans and 404 detection
- Allows you to limit login attempts
- Two-factor authentication
- Scans the code for malware and potential security threats
- Automated email alerts, in case of a breach attempt, or if a malicious file is uploaded to the server
A free version of iThemes Security is available on the WordPress plugin store, and a pro version with additional features may be purchased from the iThemes website for $64/year/site.
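Both the per-IP request limit mentioned for miniOrange and the login-attempt limit listed for iThemes come down to the same mechanism: count failures per client and per account over a sliding window and lock the key once it crosses a threshold. The following added example (written for this article, not any plugin’s code) implements that with a sliding window and a lockout period; the thresholds are hypothetical demo values, and the clock is injectable so the behaviour can be tested without waiting.

```python
import time
from collections import deque
from typing import Callable, Deque, Dict, Tuple

# Hypothetical policy values chosen for the demo, not any plugin's defaults.
MAX_ATTEMPTS = 5          # failed attempts allowed ...
WINDOW_SECONDS = 300      # ... within this sliding window
LOCKOUT_SECONDS = 900     # how long a key stays blocked after exceeding the limit

Key = Tuple[str, str]     # ("ip", address) or ("user", username)


class LoginLimiter:
    """Tracks failed logins per source IP and per username.

    Keying on both means one IP cannot spray many accounts, and many IPs
    cannot hammer one account (the typical distributed brute force)."""

    def __init__(self, now: Callable[[], float] = time.monotonic) -> None:
        self._now = now
        self._failures: Dict[Key, Deque[float]] = {}
        self._locked_until: Dict[Key, float] = {}

    @staticmethod
    def _keys(ip: str, username: str) -> Tuple[Key, Key]:
        return (("ip", ip), ("user", username))

    def is_blocked(self, ip: str, username: str) -> bool:
        t = self._now()
        return any(self._locked_until.get(k, 0.0) > t for k in self._keys(ip, username))

    def record_failure(self, ip: str, username: str) -> None:
        t = self._now()
        for key in self._keys(ip, username):
            q = self._failures.setdefault(key, deque())
            q.append(t)
            while q and t - q[0] > WINDOW_SECONDS:   # drop failures outside the window
                q.popleft()
            if len(q) >= MAX_ATTEMPTS:
                self._locked_until[key] = t + LOCKOUT_SECONDS
                q.clear()

    def record_success(self, ip: str, username: str) -> None:
        for key in self._keys(ip, username):
            self._failures.pop(key, None)


def attempt_login(limiter: LoginLimiter, ip: str, username: str, password_ok: bool) -> str:
    """Glue around the real credential check. Returns 'blocked', 'failed' or 'ok'.
    `password_ok` stands in for the actual password verification."""
    if limiter.is_blocked(ip, username):
        return "blocked"          # do not even evaluate the password
    if password_ok:
        limiter.record_success(ip, username)
        return "ok"
    limiter.record_failure(ip, username)
    return "failed"


if __name__ == "__main__":
    lim = LoginLimiter()
    # Constructed sample: six bad guesses from one documentation-range address.
    for i in range(6):
        print(i + 1, attempt_login(lim, "198.51.100.7", "admin", password_ok=False))
```

Note that a blocked request returns before the password is checked, so the response time does not reveal whether the password would have been right, and that a successful login clears the counters so a legitimate user who mistyped twice is not penalised later.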
6. BulletProof Security
To be honest, BulletProof Security has a pretty ugly dashboard. But that shouldn’t bother us much as long as it is getting the job done. It has some good security features which earn it a place on the list, despite not having a very good UI.
A good thing is the setup wizard which automatically does all the basic changes you need in your site, in under 30 seconds. Other than that, it comes with a malware scanner, firewall, login security, DB Backup, Anti-Spam & much more.
- One-click setup wizard
- htaccess firewall protection against XSS, RFI, LFI, CSRF, CRLF, Base64, Code Injection, SQL Injection
- JTC Anti Spam and Anti hacker feature for the pro version, and a lite version of this feature for the free version.
- Database backup, logs and table prefix changer
- Maintenance mode allows creating a unique coming-soon page, where you keep working the same way as before while your users see the coming-soon page.
BulletProof Security comes with a basic version (which is pretty good, to be honest) for free, and then there is a pro version which costs around $70 and adds some features.
So these are the 6 free security plugins that I consider good enough. It is pretty clear by now that almost all the plugins provide basic features like malware scans, firewall protection, login security, etc. So one thing which makes a difference is the support you get while using the plugin, and what happens if your website gets hacked.
In that case, premium plugins would definitely provide you with priority support, and Sucuri in particular guarantees that your site will be taken care of in case your security is breached.
Other than that, there are certain small features which are present in some plugins and missing in others. So take a look at the options, and then make a decision. If you have questions, let us know in the comments below.